Gretchen Herault is senior privacy counsel at GE Healthcare, responsible for data privacy issues in the U.S. and Canada. The company is subject to the Health Insurance Portability and Accountability Act, known as HIPAA; the European Union's General Data Protection Regulation, or GDPR; and will be subject to the California Consumer Privacy Act, or CCPA, when it goes into effect in January 2020.

Herault spoke to Corporate Counsel about the possibility of federal privacy legislation and the benefits to early adoption of privacy laws. This conversation has been edited for length and clarity.

Corporate Counsel: Would compliance with a federal data privacy law, in your opinion, be easier than having to comply with different state laws?

Gretchen Herault: I think a federal data privacy law would help quite a bit. I think the reason we're seeing more activity at the state level currently is, in large part, a response to a lack of federal legislation. The states want to be seen as doing what they can to protect individuals and are going beyond even their borders by having long-armed jurisdiction with companies that do business in their state. I believe they are following the GDPR in some respect in order to raise the bar on privacy.

HIPAA has some gaps as well in terms of the types of data that it protects. The legislation itself is over 20 years old and a lot has happened in terms of technology developments that were not anticipated by the Legislature. There are not guidances in place as to how the legislation applies to current technology.

CC: What are some of those gaps within HIPAA that need to be addressed today?

GH: There is a lot of development of algorithms and artificial intelligence that companies as well as health care providers are interested in researching to see if there are faster or better ways to diagnose patients with specific illnesses. I think there is a need for some sharing of information in order to develop certain advances. It's very difficult within the framework of HIPAA to do that in a compliant way and obtain the amount of data that is needed to do the research.

I think it's understood that a privacy violation from HIPAA is quite a serious matter and companies that work in this industry take that extremely seriously, as opposed to maybe large technology companies that we see in media a lot these days. The misuse of medical information is very serious. I believe we can all relate to that and understand how damaging that can be to an individual. I don't think there are any companies out there that [are] going to push the envelope to see how the regulators react.

CC: What are some best practices to make sure your business is in compliance with current and future privacy regulations?

GH: We certainly try to stay abreast of all of the legislative developments that pop up. Then we are trying to react accordingly. It is hard to predict exactly where everything will end up. It's clear that the requirements are becoming stricter. To the extent that you're working with businesspeople who may be hoping for amendments to make the requirements lighter or that the whole bill will go away, I think that's not realistic.

You should implement the requirements early if you can. That should start with an assessment of where you are so you can map out what would be needed when a bill is passed and becomes effective. Then you can start working on the easier, low-hanging-fruit items first. I think a lot of these are probably good practices anyway. We don't think it's every really a waste of time even if there is a long delay into the requirement going into effect. It just means you'll be ahead of schedule when it comes to getting into compliance.

CC: Before GDPR was put into effect, it seemed like many companies' compliance efforts were late. Do you think the same is happening with the CCPA?

GH: GDPR certainly introduced a lot of new requirements and although it had a fair amount of lead time before its enforcement date, there still wasn't a lot of guidance out there on specific aspects of it that companies were looking for. Over time it became clear that the regulators were getting ready for May 2018 and that they weren't going to be issuing guidances. You had to do the best you could in the absence of that guidance.

I think the same thing is happening with the CCPA. We don't really have time to wait around because the effective date doesn't seem to be moving at all. The guidance has been that the due date has been moved out but not the effective date. You just can't wait. You've got to start taking steps now to work toward compliance the best you can. You're going to need some kind of evidence that you did that. If you start working toward that now and create the documentation that shows that you took some steps to get started, you'll be in much better shape.

CC: What are the advantages to using software when coming into compliance with the data privacy laws?

GH: I think because our company is big we can't just do a GDPR compliance program with a spreadsheet. There are certainly tools out there to help you assess where you are. You can also automate checking your various applications to see if they have personal information and to check what kind of personal information that is. Then you can understand better which applications require review. Then you need to restore evidence of your privacy impact assessments. There are definitely tools out there that are easy for lawyers to use. There are tools that someone who is more on the technology side could leverage to help the lawyers.

Join hundreds of general counsel and senior legal leaders at the 2019 SuperConference, the premier forum designed for and by general counsel from Fortune 1000 companies.